Ransomware on IoT: Different security approach needed for IoT devices

Security (Pexels, general use)

We've probably become accustomed to daily ransomware attacks on IT systems. But with the rise of IoT devices, there is a growing threat of such security incidents. CheckPoint says IoT devices need a different security approach to counter this threat (e.g., ransomware infections). I'll post the information I have from CheckPoint here on the blog for your information.


The Internet of Things has its advantages, but the problem is the vulnerabilities in the devices, and various incidents of attacks on IoT devices prove this. Even more concerning, attacks on IoT devices are increasing daily. These attacks are becoming more sophisticated and destructive, which is a problem for every business (and for consumers too).

In many incidents, hundreds of thousands of connected devices were infected with malware that spread throughout the network, compromising PCs, servers and internal assets with ransomware, crypto miners, Trojans, botnets and more. Here's a look at why these vulnerabilities exist, how cybercriminals gain access and how to implement some best practices to protect organizations from cyberattacks.

The attack gateways

In the world of cybersecurity, any protection mechanism is only as strong as its weakest link. This is true for a single device as well as for an entire network. In a network, this weakest link is the devices at the edge of the network that are reachable from the Internet. This includes many different types of devices, from IP cameras, routers, and sensors on company premises to devices deployed in the field, such as gas pumps, EV chargers, and ATMs. All of these devices are connected to the Internet and intended for remote access.

IoT: gateways for attackers
An attack on IoT devices

The network environment

When attackers attempt to penetrate a network, they typically scan the environment for these connected devices, which they can potentially use as entry points into the network. IoT devices make a convenient springboard for cyberattacks because they often run outdated software or are not monitored for security events.


Due to the scale and wide variety of these devices, traditional incident response measures may not be as effective as usual. For example, a single university campus may host dozens of different devices. When so many devices on a network are attacked at once, it is difficult to keep track of where the vulnerabilities lie. It's also important to know that there is never just one point of failure.

What happens next

An attack campaign is not comparable to a "hit and run" scenario. Sometimes attackers hide in plain sight for a long time, waiting for the right moment to strike while they conduct reconnaissance missions to familiarize themselves with their potential victim's network. In an attack, one of the attacker's goals is to move throughout the target network. They want to move freely throughout the network and attack other internal assets and facilities.

By exploiting servers, PCs, and common office devices such as printers and routers, attackers enhance their ability to gain broader control over the network. Often, attackers exploit this control for various purposes such as data theft, extortion and more. What started as a simple gap in a set of devices can quickly evolve into a full-blown attack campaign with potentially devastating consequences.

Examples of attacks on IoT devices

Once a ransomware infection has entered the network, it can attach itself to so many devices that it becomes almost impossible to remove. An infamous example of such a case, where an IoT device network was hijacked, is presented in the R4IoT research paper published by Vedere Labs. The attack described there began by exploiting vulnerabilities in Axis cameras (CVE-2018-10660, CVE-2018-10661) and a Zyxel NAS (CVE-2020-9054).

From these footholds in the network, the malware was able to spread laterally to take over numerous other network components, steal information, and infect other devices with ransomware. In this case, security researchers exploited old vulnerabilities in order to demonstrate the effect of malware on devices with unpatched firmware. These vulnerabilities allow attackers to gain full access through an unauthenticated interface on the device.
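The lateral spread described in the R4IoT example is exactly what a defender can look for in flow data: an edge device that should only talk to its controller suddenly reaching many internal hosts over admin protocols. The following is an added example (not CheckPoint's or Vedere Labs' code) that runs such a check over constructed flow records; the asset inventory, IP addresses and port list are hypothetical.

```python
from collections import defaultdict

# Hypothetical asset inventory (constructed): edge devices should only talk to
# their controller or backup target, never fan out across the office network.
INVENTORY = {
    "10.0.20.11": "ip-camera",
    "10.0.20.12": "ip-camera",
    "10.0.30.5": "nas",
    "10.0.1.10": "camera-controller",
    "10.0.1.20": "file-server",
    "10.0.1.21": "workstation",
    "10.0.1.22": "workstation",
}
IOT_ROLES = {"ip-camera", "nas"}
# Ports an IP camera or NAS has no business *initiating* connections to.
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985}
FANOUT_THRESHOLD = 3  # distinct internal destinations before alerting

# Constructed flow records (src, dst, dst_port), as a firewall or NetFlow
# export would give them. Camera .11 streams normally to its controller;
# camera .12 fans out over SMB/RDP like the compromised devices in R4IoT.
FLOWS = [
    ("10.0.20.11", "10.0.1.10", 554),
    ("10.0.20.11", "10.0.1.10", 554),
    ("10.0.20.12", "10.0.1.10", 554),
    ("10.0.20.12", "10.0.1.20", 445),
    ("10.0.20.12", "10.0.1.21", 445),
    ("10.0.20.12", "10.0.1.22", 3389),
    ("10.0.30.5", "10.0.1.20", 873),   # NAS rsync to backup target: expected
    ("10.0.1.21", "10.0.1.20", 445),   # workstation to file server: not IoT
]


def detect_springboards(flows, inventory):
    """Return {iot_ip: {role, fanout, admin_ports}} for IoT sources that reach
    FANOUT_THRESHOLD or more distinct hosts, or that touch an admin port."""
    dests = defaultdict(set)
    admin = defaultdict(set)
    for src, dst, port in flows:
        if inventory.get(src) not in IOT_ROLES:
            continue  # only edge devices are judged here
        dests[src].add(dst)
        if port in ADMIN_PORTS:
            admin[src].add(port)
    findings = {}
    for src, hosts in dests.items():
        if len(hosts) >= FANOUT_THRESHOLD or admin[src]:
            findings[src] = {"role": inventory[src], "fanout": len(hosts),
                             "admin_ports": sorted(admin[src])}
    return findings
```

Running `detect_springboards(FLOWS, INVENTORY)` flags only camera 10.0.20.12 (four internal hosts, SMB and RDP), while the normally behaving camera and the NAS stay quiet.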

Another attack scenario exploits a vulnerability (CVE-2022-29499) recently discovered in Mitel IP phones. This vulnerability allowed attackers to execute arbitrary commands on these devices, essentially letting them do whatever they wanted. Unlike the vulnerabilities highlighted in the R4IoT research paper, which can be addressed with traditional signature-based products, this Mitel vulnerability lets attackers go about their business virtually unhindered.

Malware attacks easy to initiate

It's hard to believe how easy it is to initiate malware attacks. Often, attacks like the ones mentioned above can be acquired inexpensively through unregulated markets. A few weeks ago, the U.S. Department of Justice seized a website called RSOCKS (see Russian RSOCKS botnet taken down in international operation).

RSOCKS seized

This was a Russia-based web service that sold proxies, which attackers often used for crypto-mining activities, DDoS attacks, and more.

Most attackers were able to gain control of network-connected devices and assets by simply using default credentials or guessing weak passwords. This method of guessing credentials or trying out default usernames and passwords amassed a malicious network of more than 350,000 personal, office and home devices.


IoT device vendors are exceptional in their field when it comes to ensuring their products work as intended. However, these same device manufacturers are far from security experts. In today's cyber landscape, it is critical that devices and assets connected to the enterprise network are secure and protected from the next attack.

CheckPoint comments: It's impractical to deploy patch after patch for every vulnerability and exploit that surfaces in the wild. And even when software vendors issue regular updates for devices, research shows that operators and end users often fail to maintain and keep their devices up to date. What's needed in this case is a future-proof solution that can remove these obstacles.

Cybersecurity in the IoT world will therefore remain an issue for a long time to come, with new innovations on both sides all the time. Basic security solutions for monitoring and detection are no longer enough in today's modern cyber landscape. Without a cybersecurity solution that can detect and prevent cyberattacks in real time, we cannot hope to win against the cybercriminals.
